Re: dblink connection security

From: Joe Conway <mail(at)joeconway(dot)com>
To: Joe Conway <mail(at)joeconway(dot)com>, Gregory Stark <stark(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: dblink connection security
Date: 2007-07-09 04:07:34
Message-ID: 4691B486.4090309@joeconway.com
Lists: pgsql-patches

Stephen Frost wrote:
> * Joe Conway (mail(at)joeconway(dot)com) wrote:
>> Consider a scenario like "package <x> uses <arbitrary function y in an
>> untrusted language z>". Exact same concerns arise.
>
> No, it doesn't... Said arbitrary function in y, in untrusted language
> z, could be perfectly safe for users to call.
^^^^^
*Could* be. But we just said that the admin was not interested in
reading the documentation, and has no idea if it *is* safe. And, it very
well might not be safe. We have no way to know in advance because the
language is untrusted.

> Being written in an untrusted language has got next to nothing to do with the security
> implications of a particular function. It depends entirely on what the
> function is *doing*, not what language it's written in.

Sure it matters. A function written in a trusted language is known to be
safe, a priori. A function written in an untrusted language has no such
guarantees, and therefore has to be assumed unsafe unless carefully
proved otherwise.

Joe
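
The check an administrator can run for the distinction argued above, as an added example that is not part of the original message: it assumes a current PostgreSQL catalog layout and lists every function outside the system schemas whose language is not marked trusted (`pg_language.lanpltrusted` is false, which includes C-language contrib functions such as dblink's), together with whether PUBLIC may execute it.

```sql
-- Added example, not from the thread. Run in each database to be reviewed.
-- Lists functions written in untrusted languages and flags those that any
-- user can call, so they can be reviewed and EXECUTE revoked where needed.
SELECT n.nspname                                   AS schema_name,
       p.proname                                   AS function_name,
       pg_get_function_identity_arguments(p.oid)   AS arguments,
       l.lanname                                   AS language,
       pg_get_userbyid(p.proowner)                 AS owner,
       p.prosecdef                                 AS security_definer,
       has_function_privilege('public', p.oid, 'EXECUTE')
                                                   AS public_can_execute
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE NOT l.lanpltrusted                 -- untrusted: no a priori safety guarantee
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY public_can_execute DESC,        -- callable by everyone first
         p.prosecdef DESC,               -- then functions running as their owner
         n.nspname, p.proname;

-- For a function that has not been reviewed, remove the default grant.
-- The schema, function name and signature here are hypothetical placeholders:
-- REVOKE EXECUTE ON FUNCTION some_schema.some_function(text) FROM PUBLIC;
```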
